MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f
SHA3-384 hash: e74519b2990bc9e5d084a4dc53d43f4f6b740b643d23760720f4fbb04e42e94c4c55c6714a0969148087a33cd5e9a4b8
SHA1 hash: c27e13452bc84b1933a19f4188097a8a8f764048
MD5 hash: 9ffe57ec9ac7ef82a171d9f415ef3a84
humanhash: neptune-autumn-nineteen-wisconsin
File name:3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f
Download: download sample
Signature AgentTesla
Create hunting rule
File size:681'472 bytes
First seen:2023-05-14 09:57:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:HJP0OegQVtCS3G1gSzZ2QNHRVAooaVpb3jTfTjrE5PhYccfw:HJPP1jzZ2QNHXAo1TfgTc
Threatray 3'268 similar samples on MalwareBazaar
TLSH T172E47C526125CE5BFE29DBF09564FF85A7F1B07324E1E0201FB961C9CAA5F011E4CA2A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter petikvx
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f
Verdict:
No threats detected
Analysis date:
2023-05-14 10:09:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ba290858-7472-4158-9ad7-6f683721cb03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389342/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66726739.27888.13730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6460b0b5ec6e5344a159805c/reports/86ebf153-3889-459b-a4ae-14b544bbcee2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5de5dba8-1dba-4c4b-aae3-92b6f883490f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232776
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 865756 Sample: UK037G712z.exe Startdate: 14/05/2023 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 6 other signatures 2->42 10 UK037G712z.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\UK037G712z.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 54 Injects a PE file into a foreign processes 10->54 14 UK037G712z.exe 10->14         started        signatures5 process6 signatures7 56 Modifies the context of a thread in another process (thread injection) 14->56 58 Maps a DLL or memory area into another process 14->58 60 Sample uses process hollowing technique 14->60 62 Queues an APC in another process (thread injection) 14->62 17 explorer.exe 3 6 14->17 injected process8 dnsIp9 30 v4g2pq7k.2022pola.com 20.239.160.173, 49698, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->30 32 www.jumshow.life 69.57.163.254, 49697, 80 FORTRESSITXUS United States 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 mstsc.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-28 21:40:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hzemq4xyph6ctnkeboceyqtyazu5fqwtyimya3imalcihfeczbxq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
02ea9a838872751f53f53611015ee23062c2cbc9b71a962caf500e54a145e87e
AgentTesla
4cdfd3ac195a3194d4a4ad72a3d3aeab0009f8b8bcdd73f7664ebeafd0023bae
AgentTesla
51054c5181fc248a1642dc3a5cdb7f353aaf5d136aa20bdc59084970e74c5a8b
AgentTesla
6e8de74475e365bdd0f573a03266f447a13f30a76cc2c71d14c1fc5607e1ae5d
AgentTesla
7ac2e4aad0054c77e7a2205d156da7032021be264702c8fa76eab7ebc44556ff
AgentTesla
7f8d1823d07c98a5ea6e9d2848faf940231df09568b4fee525f18ea59d6094bc
AgentTesla
c05150aeb82312c064d530c0570a19436d44bb0955142074a4787aa998677d6d
AgentTesla
c94cfe8d1abb19cac8d63d9b2d45cc311f04fb02f87a8fc3bde8646970a74fef
AgentTesla
f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e
AgentTesla
ff25677389d599682cc411460963f6adbff3879c2f2d3d7239312acfd57f42fe
AgentTesla
+ 3'258 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:e8fg rat spyware stealer trojan
Link:
https://tria.ge/reports/230514-lzhhqsdh2w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook payload
Formbook
Unpacked files
SH256 hash:
895f15ca9cefb2058b044c12ca33bbed2a857ca5a9c073464861224808ad061e
MD5 hash:
de26eb905c26dc8261dfeae6d176f6d7
SHA1 hash:
635149304cac3552fff59b5748e8186e27add4bc
Detections:
FormBook
Create hunting rule
win_formbook_w0
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/331dc9ea-1bdd-4137-8b87-a80a9f14aed4/
Parent samples :
f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e
02ea9a838872751f53f53611015ee23062c2cbc9b71a962caf500e54a145e87e
9d1779f9a627d5d1cd19c2a1f74f71eddb92cc11d8757d4ea3a2e7b315f4186d
e4355828a192e2a9680ccde52befb9d6431f21f69572156cba5197409fc7cdb6
3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f
290e9c2d3b53a9c41d8cc6a76b053217cf499ff19f7a73a89335fa0ae1006579
SH256 hash:
2d20bf8d35f4c571a2e3c8617d17e3b727baa39dbd1f261f04c160cfff74aaed
MD5 hash:
12549fe4cefb15eaae5b602e9f3095e1
SHA1 hash:
c3ccb0ea6de5c373848e65e7dc571569ada1c512
Link:
https://www.unpac.me/results/331dc9ea-1bdd-4137-8b87-a80a9f14aed4/
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/331dc9ea-1bdd-4137-8b87-a80a9f14aed4/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/331dc9ea-1bdd-4137-8b87-a80a9f14aed4/
SH256 hash:
a4ab74ada75fcc9365afa750ff1ffbab1551fb2f90c5d35546db607f0a7b00e1
MD5 hash:
5b6141366ddf00705db9b42d78f5193e
SHA1 hash:
89f6824d539108cdcc2fcc7041b1f6eeb483f379
Link:
https://www.unpac.me/results/331dc9ea-1bdd-4137-8b87-a80a9f14aed4/
SH256 hash:
3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f
MD5 hash:
9ffe57ec9ac7ef82a171d9f415ef3a84
SHA1 hash:
c27e13452bc84b1933a19f4188097a8a8f764048
Link:
https://www.unpac.me/results/331dc9ea-1bdd-4137-8b87-a80a9f14aed4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 3e48c872f879fc29b5440b844c42780669d2c2d3c219806d0c02c4839482c86f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2259322/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/389342/

Comments